Journal of Artificial Intelligence Research 25 (2006) 503-527 



Submitted 6/04; published 4/06 



Fault Tolerant Boolean Satisfiability 

Amitabha Roy aroy@cs.bc.edu 

Computer Science Department, 

Boston College, Chestnut Hill, MA 02467. 



Abstract 

A 5-model is a satisfying assignment of a Boolean formula for which any small alteration, 
i— H such as a single bit flip, can be repaired by flips to some small number of other bits, yielding 

a new satisfying assignment. These satisfying assignments represent robust solutions to 
optimization problems (e.g., scheduling) where it is possible to recover from unforeseen 
Q_i events (e.g., a resource becoming unavailable). The concept of 5- models was introduced by 

Ginsberg, Parkes, and Roy (1998), where it was proved that finding (5-models for general 
Boolean formulas is NP-complcte. In this paper, we extend that result by studying the 
complexity of finding <5-models for classes of Boolean formulas which are known to have 
polynomial time satisfiability solvers. In particular, we examine 2-SAT, Horn-SAT, Affinc- 
SAT, dual-Horn-SAT, 0- valid and 1-valid SAT. We see a wide variation in the complexity of 
finding 5-models, e.g., while 2-SAT and Affine-SAT have polynomial time tests for 5- models, 
testing whether a Horn-SAT formula has one is NP-complete. 

O 

1. Introduction 

J> An important problem in the artificial intelligence community concerns the allocation of 

resources at or near the minimal cost. An optimal solution to such a problem might be 
rendered infeasible due to some unforeseen event (for example, a resource becoming un- 
available or a task exceeding its allocated deadline). Hence, the motivation is to search 
for optimal solutions which are immune from such events. In this paper, we consider the 
complexity of finding such "robust" solutions, where we only allow for a fixed small number 
of bad events, with the added condition that such bad events can be rectified by making a 
small change to the solution. These solutions, which we call (5-models, were introduced by 
Ginsberg et al. (1998), and further explored in Bailleux and Marquis (1999). This approach 
to fault tolerance has been extended to constraint-satisfaction problems (CSPs) (Hebrard, 
Hnich, & Walsh, 2004b, 2004a) and to applications in combinatorial auctions (Holland & 
O'Sullivan, 2004). Hoos and O'Neill (2000) consider this approach to robustness in the 
framework of dynamic satisfiability (which they call DynSAT) where the goal is to be able 
to revise optimal solutions under a constantly changing input problem. 

We extend the initial complexity results in Ginsberg et al. (1998) by looking at the 
theoretical complexity of tractable instances of satisfiability (SAT) identified by Schaefer's 
dichotomy theorem (Schaefer, 1978). The dichotomy theorem proves that the polynomial 
time solvable instances of SAT are 2-SAT, Horn-SAT, dual-Horn-SAT, Affine-SAT, 0-valid 
SAT and 1-valid SAT and any other form is NP-complete. Our goal is to study the com- 
plexity of finding (5-models for the tractable problems identified by the dichotomy theorem. 
We show a wide variation in complexity by type (2-SAT vs Horn-SAT) and by parameter 
(the number of repairs allowed for each break) . 
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Formally, a <5-model of a Boolean formula, called supermodels by Ginsberg et al. (1998), 
is a satisfying assignment (satisfying assignments are usually called models) such that if any 
bit of the assignment is flipped (from to 1 or vice versa), one of the following conditions 
hold: 

(i) either the new assignment is a model or 

(ii) there is at least one other bit that can be flipped to obtain another model. 

Flipping a bit of a S- model is called a break, corresponding to a "bad" event. The bit that is 
flipped to get another satisfying assignment is a repair (we allow that some breaks may not 
need a repair). We also study a generalization of the concept: S(r, s)-models are satisfying 
assignments for which breaks to every set of up to r bits need up to s repairs (to avoid 
trivialities, we require that the repair bits are different from the break bits). 

We let 5-SAT refer to the decision question as to whether an input Boolean formula 
has a 5-model. When we restrict the form of the input Boolean formula, we refer to the 
corresponding decision questions as 5-2-SAT, 5-Horn-SAT etc. The higher degree variants 
of these problems are 5(r, s)-SAT etc. where we consider r and s to be fixed integers. The 
following problems are proved to be NP-complete: 

- <5(r, s)-SAT (Ginsberg et al., 1998), 5(1, s)-2-SAT for s > 1, 

- 5(l,s)-Horn-SAT, 5(1, s)-dual-Horn-SAT, 

- 5(r, s)-0-valid-SAT and S(r, s)-l-valid-SAT. 

In contrast, we prove that the following problems are in P: 

- 5(1, l)-2-SAT, 5(r, s)-Affine-SAT. 

The definition of 5-models does not require that the new model obtained by repairing 
a break to a 5-model is itself a 5-model. We define 5*-models to be 5-models such that 
every break needs at most one repair to obtain another 5-model. Such models represent 
the greatest degree of fault tolerance that can be achieved for the problem. We refer to 
the corresponding decision problems as 5*-SAT, 5*-2-SAT etc. We prove that 5*-SAT is 
in NEXP (non-deterministic exponential time) and is NP-hard, 5*-2-SAT is in P and that 
5*-Affine-SAT is in P. 

Remark. Since our goal in this paper is to study the problems in Schaefer's tractable 
class with respect to fault tolerance, our yardstick to measure complexity is membership 
in P. Hence, we do not concern ourselves with finding the exact running times within P. 
Optimizing runtimes may well prove important for practical applications (at least in the 
rare instances when we find polynomial time algorithms). 

Organization of the paper: In Section 2, we introduce and define the problem and establish 
notation. In Section 3, we study the complexity of finding (5-models of general Boolean 
formulas. In Section 4, we consider the complexity of finding 5-models for restricted classes 
of formulas: we consider 2-SAT (Section 4.1), Horn-SAT (Section 4.2), O-valid-SAT, 1-valid- 
SAT (Section 4.3) and Affine-SAT (Section 4.4). We conclude with a section on future work 
(Section 5). 
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2. Definitions and Notations 

In this section, we establish some of the notation used in the rest of the paper and formally 
define the problems we wish to study. 

A Boolean variable can take on two values - true or false which we write as 1 and 
respectively. A literal is either a variable v or its negation, denoted by (a variable is often 
called a pure literal). A clause is a disjunction ( V ) of literals (for example, v\ V ->V2 V V3 
is a clause). A Boolean formula is a function from some set of Boolean variables V = 
{v 1, t>2, . . . , v n } to {0, 1}. In computational problems, we assume that Boolean formulas are 
input in a canonical fashion: usually as a conjunction ( A ) of clauses (in which case, we say 
that they are in conjunctive normal form (CNF)). 

We consider various forms of CNF formulas. A 2-SAT formula is a Boolean formula in 
CNF with at most 2 literals per clause (more generally, a /c-CNF formula or A;-SAT formula is 
a CNF formula with k literals per clause). A Horn-SAT formula is a Boolean formula in CNF 
where each clause has at most one positive literal (each such clause is called a Horn clause) . 
Equivalently, a Horn clause can be written as an implication ({vi A V2 ■ ■ ■ A v r ) — > u) where 
u,v\,V2, ■ ■ ■ ,v r are pure literals and r > 0. A dual-Horn-SAT formula is a CNF formula 
where each clause has at most one negative literal. An Affine-SAT formula is a CNF formula 
in which each clause is an exclusive-or (©) of its literals or a negation of the exclusive-or of 
its literals (such a clause is satisfied exactly when an odd number of the literals are set to 
1). Equivalently, each clause of an Affine-SAT formula can be written as a linear equation 
over the finite field {0, 1} of 2 elements. 

An assignment is a function X : V — > {0, 1} that assigns a truth value (true or false) to 
each variable in V. Given such an assignment of truth values to V, any Boolean formula <p 
defined over V also inherits a truth value (we denote this by 0(A)), by applying the rules 
of Boolean logic. A model is an assignment X such that 4>{X) is true. We will often treat 
an assignment X as an n-bit vector where the i-th bit, denoted by X(i), 1 < i < n, is the 
truth value of the variable V{. With a slight abuse of notation, we let X{1) denote the value 
of the literal / under the assignment X. 

A 0-valid-SAT (resp. 1-valid-SAT) formula is one which is satisfied by an assignment 
with every variable set to (resp. 1). 

The propositional satisfiability problem is defined as follows: 

Problem (SAT). 

Instance: A Boolean formula (p. 

Question: Does <p have a model ? 

SAT is the canonical example of an ./VP-complete decision problem (for definitions of the 
complexity class NP and completeness, see e.g., Garey & Johnson, 1979; Papadimitriou, 
1994). Many computational difficult problems in artificial intelligence have SAT encodings 
(for example, in planning (Kautz & Selman, 1992)) and so finding heuristic algorithms 
for solving SAT is an important research area in artificial intelligence. Polynomial time 
algorithms are known for SAT when the input instance is either Horn-SAT, dual-Horn-SAT, 
2-SAT, Affine-SAT, 0-valid-SAT or 1-valid-SAT. Schaefer (1978) proved that these are the 
only cases when SAT is solvable in polynomial time, every other case being NP-complete 
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(Schaefer's theorem applies to a more general situation called "generalized satisfiability" 
where the truth value of each clause is determined by a set of constraints specified as a 
relation) . 

We now introduce the concept of fault-tolerant models. Given an n-bit assignment X, 
the operation 5i flips the i-th bit of X (from a to a 1, or vice versa). The operation produces 
a new assignment which we denote by 5i(X). Similarly, if we flip two distinct bits (say bits 
i and j), we write the new assignment as Sij(X) and more generally, 5s (X) represents X 
with the bits in S flipped (where S is some subset of the coordinates {1,2, ... ,n}). 

Definition 2.1. A <5-model of a Boolean formula <fi is a model X of (f> such that for all i, 
1 < i < n, either 

(i) the assignment §i(X) is a model or 

(ii) there is some other bit j, where 1 < j < n and i ^ j, such that Sij(X) is a model. 

In other words, a 5-model is a model such that if any bit is flipped (we call this a break), 
at most one other bit flip is required to produce a new model. The second bit flip is called 
a repair. 

Example 2.1. Let H(n,k) be a Boolean formula defined over n variables v\, V2, ■ ■ ■ , v n , 
whose models are n-bit assignments with exactly k bits set to 1. For example: 



The first clause specifies that at least one bit of a model is 1 and each successive clause 
specifies that if the i-th bit is 1, then every other bit is set to where 1 < i < n. Each 
model of H(n, 1) is a (5-model: any break to a 0-bit has a unique repair (the bit set to 1) 
and a break to the 1-bit has (n — 1) possible repairs (any one of the 0-bits). 

The following decision problem can be interpreted as the fault-tolerant analogue of SAT: 

Problem (<5-SAT). 

Instance: A Boolean formula (f>. 

Question: Does (p have a 5-model ? 

The problem <5-SAT and its variants (when we restrict the form of the input Boolean 
formula) is the focus of this paper. 

We now extend our notion of single repairability to repairability of a sequence of breaks 
to a model. 

Definition 2.2. A 5(r, s)-model of a Boolean formula is a model of (ft such that for every 
choice of at most r bit flips (the "break" set) of the model, there is a disjoint set of at most 
s bits (the "repair" set) that can be flipped to obtain another model of cf). 
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Remark. (i) We view r and s as fixed constants unless otherwise mentioned. To avoid 
redundancies, we have required that the repair set is disjoint from the break set. Since 
we require "at most s bits" for repair, we also allow for the case when no repair or 
fewer than s repairs are needed. 

(ii) Under this definition, 5(1, l)-models are (5-models and we continue to refer to them as 
(5-models for notational simplicity. 

(iii) Similar to the definition of <5-SAT, we can define a decision problem S(r, s)-SAT which 
asks whether an input Boolean formula has a <5(r, s)-model. 

Example 2.2. Each model of H(n, k) (see, e.g., Example 2.1) is also a 5(k, k) model when 
k < n/2. 

Assumptions: In all our discussions, we will assume that every variable of an input Boolean 
formula appears in both positive and negative literals and that an input Boolean formula 
is in clausal form with no variable appearing more than once in a clause (i.e., there is no 
clause of the form v\ V ->vi V i^)- We also assume that in any instance of <5-SAT (or its 
variants), there is no clause which consists of a single literal, since in that case the input 
formula cannot have a <5-model. 

Consider a (5-model A of a Boolean formula and suppose that Y is a model which repairs 
some break to A. Our definition (Definition 2.1) of (5-models does not require that Y itself 
is a (5-model. If we enforce that every break to A is repaired by some (5-model, then not 
only is X tolerant to a single break, but so is the repair. We thus can define a degree of 
fault tolerance. In this setting, models will be fault tolerant of degree 0. Then, (5-models 
will be fault-tolerant of degree 1. More generally, degree- fc fault-tolerant models (which we 
call <5 fc -models) consist of <5 fc_1 fault-tolerant models such that every break is repaired by a 
fik-i mot j e i_ \Ye give the formal definition below. 

Definition 2.3. Let (j) be a Boolean formula. We define 5 k (r, s)-models inductively: <5°(r, s)- 
models are models of <fi. Then for k > 1, <5 fc (r, s)-models of <fi are <5 fc_1 (r, s)-models X of 4> 
such that for every break of at most r coordinates of A, there is a disjoint set of at most s 
coordinates of A that can be flipped to get a (5 fe-1 (r, s)-model of <j>. 

We define the corresponding decision problem 5 k (r, s)-SAT, which asks whether an input 
Boolean formula has a 5 k (r, s)-model. Observe also that by definition a <5 fc (r, s)-model is a 
<5*(r, s)-model for alH, < i < k — 1. 

Example 2.3. Let n > 6 be even and let (j> be the Boolean formula: 



Then the models of <p are vectors with either 0, 2 or 4 variables set to 1. The variables 
in {v2i-i,V2i\ have to have the same truth value (and this forces breaks to have unique 
repairs) . 



4 




k=0 
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We claim that X = (0, 0, . . . , 0) is a 5 2 (1, l)-model of </>. Any break (without loss of 
generality, assume it is to coordinate 1) is repaired by a flip to coordinate 2 (and vice versa). 
The new vector (1, 1, 0, 0, . . . , 0) is itself a 5- model. A break to some other coordinate (say, 
bit 3) has a unique repair (bit 4) to give a model (1, 1, 1, 1, 0, . . . , 0) with 4 l's. This model is 
no longer repairable, since any model has to have at most 4 l's, so a break to any coordinate 
with a (e.g., to bit 5) has no repair. 

Let n > 2 be even. Consider the formula 

(yi = v 2 ) A (v 3 = Vi) ■ ■ ■ A (v n -i = v n ) 

which has 2 n / 2 models. Observe that each model is a (5-model. So these models are S k (l, 1)- 
models for every integer k > 0. We call these models 5* (I, l)-models (as usual, when r = 1 
and s = 1, we denote S*(r, s)-models as (5*-models for simplicity). 

Definition 2.4. Let <f> be a Boolean formula defined over n Boolean variables. Then a 
model of 4> which is a S k (r, s) model for each k > is called a S*(r, s)-model. 

Observe that the set of all <5* -models of 4> form a set M of models which satisfies the 
following properties: 

(i) Each vector in M is a (5-model, i.e., a break to a bit needs at most 1 repair. 

(ii) When any bit of a vector in M is broken, there is some repair (if such a repair is 
needed) such that the new vector is also a member of M. 

We call such sets of (5*-models stable sets of (f>. These stable sets have been studied in 
a combinatorial setting by Luks and Roy (2005). 

Remark. The existence of families of models which satisfy conditions (i) and (ii) above 
may be used to give an alternate definition of <5*-models which is perhaps more natural. 
However, the notion of degrees of repairability and that <5*-models appear as the limit of 
these degrees, is not apparent from this definition, hence we use the formulation leading to 
Definition 2.4. 

The corresponding decision problem, named <5*-SAT, asks whether an input Boolean 
formula has a <5*-model. Note that a "yes" answer to this question implies the existence of 
not one but a family of such models, in particular, a set M as above. 

Complexity Classes: We refer to Papadimitriou (1994) for definitions of basic complexity 
classes like P and NP. A language L is said to be in NEXP if there is a non-deterministic 
Turing machine (NDTM) that decides L in exponential time (exponential in the length of 
the input). A language L is said to be NP-hard if there is a polynomial time reduction 
from SAT to L. A language is NP-complete if it is in NP and is NP-hard. The complexity 
class NL (non-deterministic log space), which is contained in P, consists of languages that 
are accepted by non-deterministic Turing machines using space logarithmic in the size of 
its input. The complexity classes are defined as follows: is NP, for k > 2 is the 
set of languages accepted by a NDTM that has access to an oracle TM for 
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3. Complexity of Finding 5-models 

In this section, we study the computational complexity of finding 5-models for general 
Boolean formulas. 

Theorem 3.1. (Ginsberg et al, 1998) The decision problem 5(r, s)-SAT is NP-complete. 

Remark. The proof technique used in Ginsberg et al. (1998) to prove Theorem 3.1 is used 
to prove other NP-hardness results in this paper, e.g., in Theorem 3.2 and Theorem 4.19. 

Theorem 3.2. The decision problem 5* -SAT is in NEXP and is NP-hard. 

Proof. Since an NDTM can guess a stable set of models (which could be of exponential size) 
and check that it satisfies the required conditions for stability in exponential time, <5*-SAT 
is in NEXP. 

We reduce SAT to <5*-SAT using the same reduction used in the proof of Theorem 3.1 
in Ginsberg et al. (1998): given an instance (ft of SAT, a Boolean formula (ft over n variables 
v±,V2, ■ ■ ■ ,v n , we construct an instance of (5*-SAT: the formula (ft' = (ft V v n+ \ with t> n +i 
being a new variable (to put (ft' in CNF form, we add the variable v n+ \ to each clause in 
the CNF formula (ft). 

Suppose (ft has a model X. We show that (ft' has a <5*-model by showing that it has a 
stable set of models M. Extend X to a model Y of (ft' by setting t> ra +i = 0. Let Xi = 5i(X) 
for 1 < i < n. Extend each assignment Xi to a model Yi of (ft' by setting t> ra +i = 1. Then 
let 

M = {Y,Y 1 ,Y 2 ,...,Y n }. 

We now show that M is a stable set. Suppose some bit j / i, where 1 < j < n of Yi 
is broken, then repair by flipping the i-th bit (in which case, we get the repaired vector 
Yj £ M). If the i-th bit of Yi is broken, the repair is the (n + l)-th bit (and vice versa), in 
which case the repaired vector is Y. If instead the i-th bit of Y is broken, where 1 < i < n, 
then the repair is the (n + l)-th bit (we obtain Yi as the repaired vector in this case). If 
the (n + l)-th bit of Y is broken, we can repair by flipping any of the first n bits. Hence 
M is a stable set of models and so eft' has a 5*-model (in fact, we have exhibited n + 1 such 
models). 

Now we show that if eft' has a 5*-model, then (ft has a model. If eft' has a <5*-model, it 
must have a <5*-model with the (n + l)-th coordinate set to 0. Then the restriction of this 
assignment to v\, ■ ■ ■ , v n has to be a model of (ft. This completes the reduction from 
SAT. □ 

Remark. Note that while every 5*-model is a 5 fc -model for each k > 1, the NP-hardness 
of 5*-SAT (Theorem 3.2) does not imply the NP-hardness of 5 k -SAT (Theorem 3.3 below). 
The reduction used in Theorem 3.2 can however be adapted to prove Theorem 3.3. 

Theorem 3.3. 5 k -SAT is NP-complete, where k>0. 

Proof. When k = 0, this is Cook's Theorem (Garey & Johnson, 1979), so assume that k > 1. 
First observe that <5 fc -SAT is in NP. This is because an NDTM can guess an assignment X 
and check that it is a 6 k (l, l)-model: to check whether A is a 6 k (l, l)-model, it suffices to 
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consider all possible n k break sets, and check that a repair exists for each break applied in 
sequence from the break set. Since k is fixed, this can be done in polynomial time. 

To prove that 5 fc -SAT is NP-hard, we use, once again, the proof technique used in Gins- 
berg et al. (1998) to prove Theorem 3.1. Given an instance <f> of SAT, defined on n variables 
v±,V2, ■ ■ ■ ,v n , we construct <p' = 4> V v n +\ (and modify <p' to a CNF formula), where v n +i is 
a newly introduced variable. The argument used in Theorem 3.2 can now be used to prove 
that (j) is satisfiable iff <fi' has a <5 fc -model. In particular, we construct a stable set of models 
M for 4>' from a single model of 4>. Since a (5*-model is a <5 fc -model, this proves that if <j> is 
satisfiable, then 4>' has a <5*-model. The other direction also follows: if (f>' has a (5 fc -model 
then it has a model with v n+ \ set to 0. The restriction of that model to v\,...,v n is a 
model of (j). □ 

4. Finding 5-models for Restricted Boolean Formulas 

In this section, we consider the complexity of 6(r, s)-SAT for restricted classes of SAT 
formulas which are known to have polynomial-time algorithms for satisfiability: 2-SAT, 
Horn-SAT, dual-Horn-SAT, 0-valid SAT, 1-valid SAT and Affine-SAT. We observe that 
these problems have different complexity of testing fault tolerance. For example, 2-SAT 
and Affine-SAT have polynomial time tests for the existence of (5-models (see Section 4.1 
and 4.4) whereas the same problem is NP-complete for Horn-SAT (Section 4.2). 

4.1 Finding (5-models for 2-SAT 

We now prove that finding ^-models for 2-SAT formulas is in polynomial time. We give 
two independent proofs: the first proof (Section 4.1.1) exploits the structure of the formula 
and the second proof (suggested by a referee) uses CSP (constraint satisfaction problem) 
techniques (Section 4.1.2). In contrast, we show that finding 6(1, s)-models for 2-SAT 
formulas is NP-complete for s > 2 (Section 4.1.3). However, we also show that finding 
£*-models for 2-SAT formulas is in polynomial time (Section 4.1.4). 

4.1.1 Polynomial time algorithm for 6(1, l)-2-SAT 

Notation: Let (j) be an instance of 2-SAT. Following the notation in Papadimitriou (1994), 
we define the directed graph G(4>) = (V, E) as follows: the vertices of the graph are the 
literals of 4> and for each clause U — > lj (where k, lj are literals), there are two directed edges 
(h,lj) and ( -> lj, -> hi) in E. A path in G(4>) is an ordered sequence of vertices (l±, h, ■ ■ ■ , l r ) 
where (li,h+i) £ E for 1 < i < r — 1. We define a simple path in G((f>) to be a path 
(h,h, ■ ■ ■ , l r ) where the literals U involve distinct variables, i.e., U / lj and U / for all 
i / j, where 1 < i, j < r. A simple cycle of G(4>) is a simple path where we allow the start 
and end vertices to be identical. A source vertex (resp. a sink vertex) in G(4>) is a vertex 
with in-degree (resp. out-degree) 0. A vertex I in G(4>) is said to be a /c-ancestor (resp. 
/c-descendant) if there exists a simple path (I, l\,l2, ■ ■ ■ ,h) (resp. (l±, h, ■ ■ ■ , h, 0) °f length 
k in G(<j>). 

The following well-known lemma provides a necessary and sufficient condition for a 
2-SAT formula to be satisfiable. 
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Lemma 4.1. (Papadimitriou, 1994) A 2-S AT formula <f> is unsatisfiable iff there is a vari- 
able x appearing in 4> such that there is a path from x to -*x and a path from -^x to x in 
G(4>). 

If 4> has a 5-model, then G{4>) has further restrictions. 

Lemma 4.2. // a 2- SAT formula <f> has a 5 -model, then there is no path from I to ->l for 
any vertex I in G((f>). 

Proof. If there was a path from I to — > Z in G(<j>), then any satisfying assignment has to set 
/ to false. If we now flip the value of the literal I (by flipping the associated variable), we 
cannot repair to get a model of (f>. □ 

Remark. Lemma 4.2 establishes a necessary condition for a satisfiable 2-SAT formula to 
have a 5-model. Unlike Lemma 4.1, this condition is not sufficient: consider, for example, 
the 2-SAT formula (which also illustrates many of the constraints that have to be satisfied 
if a 5-model exists): 

(vi ->■ v 2 ) A (v 2 ->■ v 3 ) A (v 3 ->■ V4) A (V4 ->■ i> 5 ). 

Any 5-model of this formula has to set v\ to false (otherwise every variable has to be set to 
true and a break to v$ requires more than one repair). Similarly v$ has to set to 1, V2 to 
and V4 to 1. No choice of v 3 will allow a single repair to a break to both v\ or ^5. This 
formula thus does not have a (5-model, yet it satisfies the necessary condition of Lemma 4.2. 

We now establish a necessary and sufficient condition for a model of 2-SAT formula 4> 
to be a 5-model. 

Lemma 4.3. Let <p be a satisfiable 2-SAT formula. Suppose that there is no path from I to 
->l for any vertex I in G{4>). Let X be a model of (p. Then X is a 5-model if and only if it 
satisfies the following conditions: 

(CI) LetV = (h,l2,h) be a simple path inG(4>) of length 2. ThenX{l\) = andX(l 3 ) = 1. 

(C2) If {h,h) and (l\,h) are edges in G{4>), then X , X (fa) , X cannot all be 0. 

Proof. (=>) Suppose A is a 5-model of (p. Let P = (Zi, I2, h) be a simple path of length 2. 
If X{1\) = 1, then X{J,2) = X(l 3 ) = 1, otherwise X cannot be a model of (p. A break to I3 
requires the values of both l\ and I2 to be flipped so X cannot be a 5-model, a contradiction. 
So X(l\) = 0. Similar arguments show that X(l 3 ) = 1. Condition (C2) holds similarly: if 
X (li) , X (I2) , X (I3) were all false, then a break to l\ would require two repairs (both I2 and 
Is). Hence one of them has to be set to true. 

(<^=) Let A be a model of <f> which satisfies conditions (CI) and (C2). We show that 
X is actually a 5-model. Suppose not; say a break to a variable v is not repairable by at 
most one other bit flip. Assume without loss of generality, that X{v) = and so after the 
break, v is set to 1. There must be at least one clause of the form v — > I where I is a literal, 
with X{1) = 0, otherwise the break does not need a response. If there is more than 1 such 
clause, say clauses v — > I and v — > I' with X(l) = X(l') = 0, then X violates condition (C2), 
contradicting the hypothesis. So there is exactly one clause of the form v — > I with X(l) = 
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and moreover, it must be the case that flipping / does not produce a model of 4> (then one 
repair would have sufficed). Now since a flip of the variable associated with I repairs the 
clause v — > I, there must be other clauses that break when I is repaired. Such a clause must 
be of the form Z — > I' for some literal I' with X{V) = 0. We know that V cannot be ->v since 
then we would have a path between v and in G(4>), which violates the hypothesis. Our 
assumption that each clause has distinct literals implies that V 7^ —>l. Hence (v,l,l') is a 
simple path such that X(v) = and X(V) = 0, contradicting condition (CI). Hence X is a 
5-model. □ 

Remark, (i) If <fi has a <5-model, then it is indeed the case that if (v, u) and (w, u) are 
edges of G(<j>), then u, v and w cannot all be set to true in such a 5- model (since a 
break to u is not repairable by a single flip). We do not need to include this condition 
explicitly in Lemma 4.3, because this condition happens if and only if ( —> u, ^v) and 
(-in, -1 w) satisfy condition (C2) in Lemma 4.3. 

(ii) If (f> has a (5-model, then condition (CI) can be extended to specify the values of literals 
(vertices) on any path of length 3 (the maximum possible length, see Corollary 4.4 
below) as follows: if (u±, U2, U3, U4) is a simple path, then apply condition (CI) twice 
to get X(u\) = X{u2) = and X(us) = X(u^) = 1. Thus we do not include this 
condition explicitly. 

Lemma 4.3 has further consequences for G{<p): 

Corollary 4.4. If a 2-SAT formula (ft has a 5-model, then G(4>) satisfies the following 
properties: 

(i) The longest simple path in G(<p) has length at most 3. 

(ii) The longest simple cycle in G{4>) has length at most 2. 
(Hi) A vertex v can take part in at most 1 simple cycle. 

Proof. Suppose that there is a simple path (Zi, h, h, U, h) of length 4 in G(<p). If X is a <5- 
model of </>, Lemma 4.3 implies that X(ls) = 1 when we apply (C2) to the segment (h,fa, I3) 
and X(lz) = when we apply (C2) to the segment (Z3, Z4, Z5). Hence such a (5-model cannot 
exist. The other conditions follow from similar arguments. □ 

Pseudo-code for our algorithm is given in Algorithm (1). Observe that Algorithm (1) 
is a polynomial time reduction from 5- 2-SAT to the satisfiability question of a new 2-SAT 
formula 4>b- Proof of correctness follows. 

We first need to prove the following easy lemma. 

Lemma 4.5. If a 2-SAT formula <fi has a 5-model, then it has a 5-model with each source 
vertex (respectively, sink vertex) in G(<p) set to false (resp. true). 

Proof. Modify a 5-model X of (f> by setting each sink vertex to 1 (and hence each source 
vertex to 0). Let the new assignment be X' . Clearly, X' is still a model of (j) (setting the 
antecedent p, or the consequent q, to 0, or 1 respectively, satisfies every implication p — > q). 
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Algorithm 1 Algorithm for 5-2-SAT 
1: Input: 2-SAT formula <f> 

2: Output: True if <p has a 6(1, l)-model, false otherwise 

3: if 4> is not satisfiable then 
4: return false. 
5: end if 

6: /* Check if necessary condition holds (Lemma 4-2) */ 
7: Construct G(4>) 

8: if there is a path in G(4>) between I and —>l for any literal I then 
9: return false. 
10: end if 

11: 4>b^~ 4> 

12: /* Enforce condition (CI) from Lemma 4-3 */ 
13: for all 2-ancestor vertex I in G(4>) do 

14: (f>B <— (f>B A (-.Z) 

15: end for 

16: /* Force each source (resp. sink) vertex to value (resp. 1) */ 

17: for all source vertices I in G(4>) do 

18: <f> B <r- 4> B A H) 

19: end for 

20: for all sink vertices I in G((f>) do 

21: 4>b ^~ 4>B A (0 
22: end for 

23: /* Enforce condition (C2) from Lemma 4-3 */ 
24: for all 1-ancestors I in G(<p) do 
25: for all pairs of distinct vertices l\, I2 do 
26: if (Mi), (l,h) are edges in G(<j>) then 

27: 4>B^4>B A (Zi V i 2 ) 

28: end if 

29: end for 
30: end for 

31: if (pB is satisfiable then 
32: return true 
33: else 

34: return false 
35: end if 
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We show that this model satisfies condition (CI) and (C2) of Lemma 4.3, thus proving that 
it is a 5-model. If condition (CI) is violated, then there is some simple path (h,l2,h) i n 
G(4>) where X'(h) = 1 or X'(h) = 0. If X'{h) = 1, then X{h) = 1 (suppose not and let 
X(l\) = 0: since is an edge in G(4>), h is not a sink vertex, so its value would not 

have been changed). Similarly, X'(l^) = would imply that X(l^) = 0. Thus X would 
violate condition (CI) with respect to the simple path (h,l2,h) an d could not have been a 
5- model (a contradiction). Condition (C2) similarly holds. □ 

Algorithm (1) adds literals to the input 2-SAT formula (f> to enforce variable assignments 
that must hold if <f> has a 5-model (see Lines 12-15, 24-30 in the body of Algorithm (1)). 
Since we are guaranteed by Lemma 4.3 that these conditions are a necessary and sufficient 
condition for the existence of a 5-model, the satisfiability of the resulting Boolean formula 
would imply that (f> has a (5-model. To simplify the proof of correctness (which is now simply 
Corollary 4.6 below), we enforce that source and label vertices get default values prescribed 
by Lemma 4.5. 

Corollary 4.6. The formula 4>b is satisfiable iff (p has a 5-model. 

Proof. Immediate from Lemma 4.3 and Lemma 4.5. □ 

Example 4.1. Let <fi be the 2-SAT formula: 

(v\ — > v 2 ) A (t> 2 -> ""3) 
(v\ — > V4) A (t>4 — > V3) 
(vi -)• v 5 ) A (t> 5 v 3 ) 

Then Algorithm (1) constructs <pB where 

4>b = 4> a 

(-1^1) A (^3) {added by lines 13-16 in Algorithm (1)) 
A (v2 V V4) A (v2 V V5) A (t>4 V v$) (added by lines 24-31) 
A (-1U2 V -1W4) A (-1^2 V ) A (-1^4 V -1W5) (added by lines 24-31) 

Note that in the construction of G((f)), -if 3 is a 2-ancestor. Since two of the variables 
^2,^4,^5 have to be set to the same value, 4>b is unsatisfiable. Hence <f> does not have a 
5-model. 

Theorem 4.7. In polynomial time, one can determine if a 2-SAT formula has a 5-model 
and find one if it exists. 

Proof. Satisfiability of a 2-SAT formula is in P (Papadimitriou, 1994). Other steps in the 
procedure consist of looping over simple paths of length 3, which can be done in time 0(n 3 ) 
where n is the number of variables. □ 

Remark. It is possible to further characterize the space complexity of 5(1, l)-2-SAT. In 
fact, 5(1, l)-2-SAT is complete for NL (non-deterministic log space). To see that 5(1, l)-2- 
SAT is in NL, observe that Algorithm (1) can be executed in space logarithmic in the input. 
Completeness can be established via a log-space reduction from 2-SAT. Since this result is 
not very relevant in the present context, we leave the details out. 
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4.1.2 An alternative proof of Theorem 4.7 

An alternative proof of Theorem 4.7 was suggested by one of the reviewers. It is possible 
to cast any satisfiability problem as a constraint satisfaction problem (CSP) over binary 
variables. This transformation, particularly when the input instance is a 2-SAT problem, 
produces a CSP for which local consistency (consistency of subproblems involving fewer 
variables) ensures the presence of a global solution. In this framework, asserting that a 
Boolean formula has a 5-model becomes particularly convenient. 

Notation: Let 4> be a Boolean formula in CNF. For a subset S of variables, we let (j>(S) 
denote the subformula of <f) consisting of clauses from (j) which only involve variables in S. 

Definition 4.1. A formula 4> is said to be k- consistent if for every subset S of k— 1 variables, 
every model of (f)(S) can be extended to a model of 4>(S U {v}) for every variable v (i.e., a 
larger subformula of <p involving one more variable). A formula is strong k- consistent if it 
is i-consistent for alH, 1 < i < k. 

Remark. The concept of /c-consistency has other equivalent formulations (Jeavons, Cohen, 
& Cooper, 1998; Dechter, 1992). Since our goal in this paper is to study satisfiability 
exclusively, we rephrase some of the definitions and theorems to apply to our present context. 

Theorem 4.8. (Dechter, 1992) Let be a 2-SAT formula. Then the following hold: 

(a) If (p is strong 3- consistent, then (j) is satisfiable and for any 2 element set S, (j)(S) is 
satisfiable. 

(b) In polynomial time (see e.g., (Jeavons et al., 1998)) one can check whether <f> is 
strong 3-consistent. If 4> is satisfiable but not strong ^-consistent, then one can add 
extra clauses (also in 2-CNF) to <j> in polynomial time such that the resulting 2-SAT 
formula is strong 3- consistent. 

Remark. More generally, given an input Boolean formula <j>, one can establish ^-consistency 
by adding extra constraints that do not change the set of models. This is done by iterating 
over all possible fc-element subsets of variables and solving the subproblem for these vari- 
ables. Clauses are added which restrict the values of any subset of k — 1 variables to only 
those values that can be extended to another variable. If there is a set of k — 1 variables none 
of whose assignments can be extended, then we can conclude <p is unsatisfiable. If not, then 
these extra clauses are added to (j) to make it /c-consistent. Enforcing strong /c-consistency 
(for fixed k) can be accomplished in polynomial time (Jeavons et al., 1998; Dechter, 1992). 

In the special case when ^ is a 2-SAT formula these extra clauses are also binary and so 
we end up with a strong 3-consistent 2-SAT formula (which we denote by (j)) with exactly 
the same models (and hence, the same set of 5- models). 

Notation: For an ordered pair of variables (u, v), we let M^u, v) denote the set of models 
of <p({u,v}). 

Theorem 4.8 (b) implies that we can assume without loss of generality that the input 
is a strong 3-consistent 2-SAT formula <fi. Theorem 4.8 also implies that an assignment X 
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is a model of (p iff (X(u), X(v)) G M^(u,v) for all pairs (u,v). Clearly, we can construct 
all the sets M^u^v) in polynomial time (there are G(n 2 ) such variable tuples, where n is 
the number of variables, and each set M^(u, v) consists of models of a 2-SAT formula with 
at most 2 variables). With a slight abuse of notation, we denote M^(— u, v) to be the set 
{(-a, 0)| (a,^M4v)}. 

Let u be any variable of (p. Let <p u $ = cp A ( _|, u) and </> Uj i = (p A (u). If either U) o or 
is unsatisfiable, then it is clear that <fi cannot have a 5-model. Assume then that both 
(f> u fi and <j) U) i are satisfiable and let 4>u,o and be the corresponding strong 3-consistent 
formulas. Let N u be the set of variable pairs (v, w) such that M^—^ (v, w) n M^~~^ (v, w) = 0. 

Lemma 4.9. Suppose N u / /or some variable u. If (p has a 5 -model, then there is some 
variable v, where v / u, such that v belongs to every pair in N u . 

Proof. If we flip the value of it in a 5-model of <f>, we can repair by flipping at most one 
other variable and we are forced to flip one variable from each pair in N u . This means that 
this repair variable is in every pair of N u . □ 

Lemma 4.9 implies that we may assume that the pairs in N u have a common member. 
We can similarly show: 

Lemma 4.10. Suppose that v is a variable that appears in every pair in N u . Then the 
following hold: 

(i) If there exists a w such that 

then any S-model X of <p has to set X(u) = 0. 

(ii) If there exists a w such that 

Mr— (v, w) n Mr- (-v, w) = 0, 

then any 5-model X of <p has to set X(u) = 1. 

Thus either of the two conditions in Lemma 4.10 force the value of the variable u in any 
5-model of (p. Together Lemmas 4.9 and 4.10 enable us to set the values of the variables 
that are forced (cf. Lemma 4.3). If after setting the values of these variables, we derive a 
contradiction then <p cannot have a 5-model. 

Algorithm (2) provides the detailed description of the algorithm. 

Theorem 4.11. Algorithm (2) decides 6(1, l)-2-SAT in polynomial time. 

Proof. Enforcing 3-consistency is in polynomial time (Dechter, 1992). The outer loop in 
Line 3 executes n times where n is the number of variables. Within the body of the loop, 
calls are made to enforce satisfiability and 3-consistency, along with calls to construct N u 
for the variable u under consideration. Each step takes polynomial time, hence the claim 
follows. □ 

Remark. While Algorithm (2) solves the yes/no problem of testing whether an input 2- 
SAT formula has a (5-model, it is a simple matter to modify the algorithm so that it outputs 
a 5-model if such a model exists. The forced variable assignments along with any satisfying 
assignment of the remaining 2-SAT formula is a 5-model of the input formula. 
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Algorithm 2 Algorithm for 5(1, l)-2-SAT 

1: Input: A strong 3-consistent 2-SAT formula <j) 

2: Output: True if 4> has a 6(1, l)-model, false otherwise 

3: for every variable u do 

4: if 4> u fl or cf> Uj i is unsatisfiable then 

5: Output false. 

6: end if 

7: Find sets Mr— (v, w) and Mr— (v, w) for variables v, w. 

4>u,0 ' <Pu,l ' 

8: Compute N = set of pairs (v, w) such that 

M $ ~~ o (v,w)nM r ~ :i (v,w) = iD. 

9: If the pairs in N do not have a common member, then output false. 

10: if N ^ then 
11: For the common member v, 

12: if there is a variable w such that Mr— (—v, w) PI Mr— (v, w) = then 

13: set (f> = cj) A (-in) 

14: end if 

15: if there is a variable w such that Mr— (v, w) n Mr— (— f, it)) = then 

16: set = 4> A u 

17: end if 

18: end if 

19: Check if </> is satisfiable, if not output false. 

20: If 4> is satisfiable, add extra clauses to 4> to make it 3-consistent. 

21: end for 

22: Output true 
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4.1.3 Complexity of 5(1, s)-2-SAT for s > 2 

Theorem 4.12. The problem 5(l,s)-2-SAT is NP-complete for all s > 1. 

Proof. Clearly this problem is in NP: an NDTM can guess such an assignment and check 
that it is a model and that for every break, there are at most s other bits that can be flipped 
to get a model (since s is fixed a priori, this leads to at most 0(n s ) possible repair sets, a 
polynomial number of choices). 

We prove NP-completeness via a reduction from (s + 1)-SAT. Let 

T = Ci A C 2 . . . A Cm 

be an instance of (s + 1)-SAT where each clause Q is a disjunction of s + 1 literals: 

Vi,l V v iy2 ... V V iyS+ l. 

We construct an instance T' of 5(1, s)-2-SAT as follows: for each clause Ci in T, we 
construct an appropriate 2-SAT formula C[. Our resulting instance of 5(1, s)-2-SAT is a 
conjunction of these 2-SAT formulas. Thus, 



l<i<m 

where C' is a 2-SAT formula defined for each clause C,- as follows: 



C ?= A 

l<j<(s+l) 

A Kj => (4.1) 

l<j<(s+l) 

i<i<«+i i<fc<(s-i) 

where we have introduced l + s(s + l) new variables: Zi and ctij^ for 1 < j < s + 1, 1 < k < s 
to define the gadget C[. The gadget C[ is best understood via Figure (1). 

Let T have a model X. Extend that to a model of T' by setting z% = for all 1 < i < m 
and Oijfi = 1 for all 1 < i < m, 1 < j < s + 1, 1 < k < s. We claim that this is a 
5(1, s)-model of T 1 . Suppose we flip the variable corresponding to literal I. Now we do a 
case analysis of how many repairs are needed: 

• [I = Zi] Since Vi t i V Vi^ ... V Vi jS +i is set true by the model X, we need to flip at most 
s false literals in {v^i, . . . , Observe that no more repairs are necessary. 

• [I = ctijfi] Need to flip a^k' where 1 < k' < k and we might need to flip the variable 
corresponding to Vij if Vij was set to true by X. This repair does not affect the truth 
value of other clauses of T'. Hence we flip at most s variables. 



[I = variable occurring in T] This will flip the value of all literals involving /. Because 
we set every a^fc = 1 and Z{ = 0, no repairs are needed in T' , as each implication 
(clause) of T' still remains true. 
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ViA I'i.j Vi,s+1 



Oii,l,k 



OLi,l, t 



<Xi,j,l 



a i,j,k 



a 



i,3,s 



a i,s+l,l 



a 



i,s+l,s 



Figure 1: Gadget for 2-SAT 



Now suppose T' has a (5(1, s)-model. We show that T has a model. Note that in such a 
model Zi = for all i (otherwise if Zi = 1, then Vij = &i,j,k = 1 an d we will need more than 
s repairs when we flip the value of ck^i^). Now all literals Vj,2 ; • • • ,Vi,s+i} cannot be 
set to 0, since a break to Z{ would again necessitate s + 1 repairs. Hence at least one of the 
literals in {vn,Vi2, ■ ■ ■ ,Vi,s+i} is set to 1. In other words, the clause Cj in T is satisfied. 
Since z; L = for all i, T must have a model. □ 



4.1.4 Complexity of 5*-2-SAT 

In this section, we show that (T-2-SAT is in polynomial time. 

Let (f> be the input 2-SAT formula over n variables. We construct the graph G{<p) as 
described before in Section 4.1.1. Since a (5*-model is by definition also a <5- model, we must 
have the same path restrictions set forth by Lemma 4.3 and Lemma 4.2. If <f> has a <5*-model, 
then G(4>) has further restrictions. 

Lemma 4.13. Let (f> be a 2-SAT formula with a 5* -model. Then every non-trivial simple 
path in G(<p) has length 1. 

Proof. Suppose that (h,l2,h) is a simple path in G((j>) of length 2. Let X be a 5*-model 
of (f>. Because of Lemma 4.3, we know that X(l\) = 0,X(l^) = 1 and this has to be the 
case for all <5*-models. This means that a break to X(l\) cannot be repaired to get another 
<!>*-model. Hence, X cannot be a <5*-model, a contradiction. □ 
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Remark. Note G(<p) may have cycles (h,fo,h), however in that situation, Lemma 4.13 
implies that {^1,^2} must form one connected component. Any <5*-model if it exists assigns 
the same value to h and I2 such that the respective variables form a break-repair pair and are 
independent of the remaining variables. We can thus remove the cycles from consideration. 
So without loss of generality, we assume that G{4>) has no cycles. 

Let R be the vertices in G(4>) with in-degree and B be the vertices with out-degree 
0. Since a vertex cannot have positive in-degree and positive out-degree, this creates a 
bipartition R U B of the vertices of G(cf>), where R, B are disjoint vertex sets and all edges 
in G((f)) are of the form (1,1') with I G R and /' G B. 

Note that if (1,1') is an edge in G(4>), then the out-degree of — 1 Z is 0: otherwise, there 
would be a path of length 2 or a cycle, both of which we have excluded. Hence I G R iff 
-1 1 G B. We also observe that there are no isolated vertices in G(cf>) since every clause is 
a disjunction of distinct literals. This gives a complete graph theoretic characterization of 
the structure of G(<p) when (j) has a <5*-model. 

Now let Yq be an assignment that sets every literal in R false (0) and (hence sets) every 
literal in B true (since we have assumed that every variable appears in both positive and 
negative literals). 

Lemma 4.14. The assignment Yq is a 5* -model. 

Proof. We exhibit a stable set C of models of <f> that contains Yq. Let Y [b (respectively, 
Y Ir) denote the restriction of an assignment Y onto the literals in B (respectively, R). 
Let 

C = {Y j Y [b contains at most one literal set false }. 

Note that if Y [b contains at most one false literal, then Y [r contains at most one true 
literal. Clearly Yq £ C. 

We now show that C is a stable set. Let Y £ C, where Y ^Yq. Suppose that Y sets the 
literal I G R to true and -*l to false in B. If the value of the literal I is flipped, then we get 
Yq (a model in C) and so no repairs are needed. If a different variable is flipped, then this 
creates a new literal I' in R set to true (and —>l' false in B) in the new assignment. Then 
we repair by flipping the value of I from true to false, thereby allowing only one positive 
literal in R. Thus any break to Y is repairable by another model in C. A break to Yq G C 
does not need any repairs. Hence C is a stable set and Yq is a <5*-model. □ 

Theorem 4.15. S*-2-SAT G P. 

Proof. The graph G(4>) can be constructed in polynomial time (in time linear in the size of 
(j)). All conditions needed for the existence of a 5-model can be checked in polynomial time: 
using depth-first search, one can check if the longest simple path of G((f>) has length 1 and 
check whether the subgraph of G without any 2-cycles is bipartite. □ 

4.2 Finding (5-models for Horn-SAT and dual Horn-SAT 

Recall that an instance of Horn-SAT is a Boolean formula in CNF where each clause contains 
at most 1 positive literal. As in 2-SAT, there is a polynomial time algorithm to find a model 
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of a Horn formula (see, e.g., Papadimitriou (1994)). However, unlike the situation in 2- 
SAT, finding 5(1, s)-models for Horn formulas is NP complete for all s > 1. The proof of 
this fact can be easily modified to show that the same problem is NP-complete for dual 
Horn-SAT. 

We first prove a technical lemma which will be used in the NP-completeness proof. 
Define the Boolean formula 4> = 4>(x, y, Pi, ■ ■ ■ , fas) over variables x,y,/3i,..., fiis as follows: 



s-1 

4>(x,y,p 1 ,...,p 2s ) = f\(Pi^Pi+i) 
i=i 

A (ft x) A (ft => y) 

A (x => p s+1 ) A (y P s+1 ) A 

2s- 1 
/\ (Pi^P i+1 ) 
i=s+l 

The formula 4> is best visualized as in Figure (2). Observe that each variable x and y 
appears both as the head and tail of a chain of implications of length s. 



Figure 2: Gadget <f> 



Pi — p2 --* Ps < y Ps+1 — Ps+2 Pis 



The crucial property of this gadget that we use is as follows: 

Lemma 4.16. Let X be a model of (p. Then X is a 5(1, s) -model iff it satisfies x <^ -*y. 

Proof. (<=) Let X be a model of <f>. If x ->y holds for X (i.e., x and y get opposite truth 
values in X), then X has to set all Pi with i < s to (because either x and y is set to 0) 
and all Pj with j > s + 1 to true (because either x or y is set to 1). Then a break to Pi 
with i < s requires repairs to Pj where i < j < s and exactly one of x and y (the variable 
set to 0). Similarly a break to Pi with i > s + 1 requires repairs to Pj, s + 1 < j < i — 1 and 
exactly one of x and y (the variable set to 1). A break to x or y does not need any repairs. 
Since we never need more than s repairs for every break, X is a 5(1, s)-model. 

(=>) Any 5(1, s)-model X of <j) has to set each Pj to where 1 < j < s and each Pj 
to 1 where s + 1 < j < 2s (otherwise more than s repairs are needed for breaks to these 
variables). If both X(x) = X(y) = 0, then a break to Pi (from a to 1) would require 
repairs to P2, P3, ■ ■ ■ , Ps as well as to both x and y, for a total of s + 1 repairs. Hence both 
x and y cannot be false. Similarly, both x and y cannot be true because then a break to 
/?2s would require s + 1 repairs. Hence A satisfies x 44> ->y. □ 

Theorem 4.17. 5(1, s)- Horn- SAT is NP-complete for s> 1. 
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Proof. We prove this via a reduction from 3-SAT. Let T be an instance of 3-SAT, where 
T = A2=i i s defined over n variables x±,X2, ■ ■ ■ ,x n and clause Cj is a disjunction of 3 
distinct literals. Clearly we can assume that every variable appears in both positive and 
negative literals in T (if not, we may set the pure literal to be true or false appropriately 
and consider the resulting formula as T). 

We first apply an intermediate transformation to T. We replace any positive literal 
(say Xj) in C% by a negative literal, ~^x'-, where x 1 - is a new variable not occurring in T. 
The new clause, which now has no positive literal, is denoted by C[. Remembering our 
global assumption that every variable in input Boolean formulas appear in both positive 
and negative literals, we see that this transformation will introduce variables x'j for every 
variable Xj in T. To maintain logical equivalence, we also need to enforce that -> x'j 44> Xj in 
the new formula: so we add the following clauses: (^x'j V -<Xj) and (x'j V Xj). Note that 
these two clauses imply that in any model of this new Boolean formula, Xj and x'j cannot 
have the same truth value. 

Thus we obtain 

T'= A C 'i A V -sOA&VSi)} 

l<i<m l<i<n 

Note that T' is almost Horn (since every clause C\ is Horn) , the only non-Horn clauses are 
the clauses of the form (x{ V x'j). We have introduced n new variables and 2n new clauses, 
so that T' has m + 2n clauses and is defined over 2n variables. Clearly T' is satisfiable iff 
T is satisfiable. 

We now construct an instance T" of 5(1, s)-Horn-SAT from T' such that T" has a 5(1, s)- 
model iff X" is satisfiable. We first introduce s + 1 new variables A\,A2, ... , A s +i. For each 
clause C\ = —>Vi j i V —>Vi t 2 V —>Vi j 3, we construct a formula T^i consisting of a single clause 
(note that at this step, each Vij is a variable of the form x^ or of the form x' k for some 
k, 1 < k < n): 



rj,i = (-<Zi V -noi,! V -1^,2 V -1^,3) (4.3) 

where Z\, Wi t \, wip, are new variables introduced for each clause C[. This step intro- 
duces 4 new variables per clause C[ for a total of 4m new variables. Our next step creates 
formulas that places restrictions on these new variables and ties them in with the vari- 
ables Vij in the original clause. We introduce new variables otij,k f° r eacn clause C[, where 
1 < j < 3, 1 < k < s — 1, these variables forming the intermediate variables in a chain of 
implications of length s from v^j to Wij as below: 

r,,2 =(vi,i => "1,1,1) A (aj,i,i =^ aj,i, 2 ) • • • A (a^i^-i w it i) 

A (ui,2 tti,2,i) A (a ij2 ,i aj,2,2) • • • A (aj, 2 , s _i ^> «; i)2 ) (4.4) 
A (ui,3 ^ a ij3 ,i) A (a!;,3,i ^ a i)3j2 ) ■ ■ ■ A (a i)3jS _i ^ w i)3 ) 

The reader may wish to compare the the gadget ^,2 with a similar gadget C[ in Equa- 
tion (4.1) and shown in Figure (1) that was used in the proof of Theorem 4.12. 
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We also make Zj, one of the new variables introduced in T^i, appear as the head of a 
chain of implications of length s + 1 as shown below in formula r^: 

ri, 3 = (Zi =¥■ A x ) A (Ai => A 2 ) . . . A (A a => A s+ i) 
We now define the formula C" constructed for each clause C ? ', 1 < i < m, of T': 

c'l = r M a r h2 a r i)3 

Note that each C" is Horn and has introduced new variables ccjj^, Wij, Zi for a total of 
3(s — 1) + 3 + 1 = 3s + 1 new variables. The other new variables Aj are global, i.e, reused 
in the formulas for C" for various i. 

For the clauses of the form {^x\ V -iXj) A (x^ V Xj) from T' , where 1 < i < n, we 
introduce new variables for each i where 1 < j < 2s and construct the gadget 4>i = 
</>(xj,x-, A,2, • • • ,A,2s) defined in Equation (4.2). 

Our instance of 5(1, s)-Horn-SAT is then: 

T"= /\ C.f A /\ ^ 

l<i<m l<i<n 

We first show that if T 1 is satisfiable, then T" has a 5-model. Suppose T' had a model 
X'. Extend that to an assignment X" of the variables of T" by setting the values of the 
newly introduced variables as follows: 

Ai = 1 for 1 < i < s + 1, 
Zj = for 1 < i < m, 
= 1 for all i and j, where 1 < i < m and 1 < j < 3, 
Ojj.fc = 1 for all i, j where 1 < i < m, 1 < j < 3, l<fc<s — 1, 
/3jj = for all j, 1 < j < s and all i, 1 < i < n, 
jSjj = 1 for all j, s + 1 < j < 2s and alH, 1 < % < n. 

Since X" satisfies each clause in T", it is a model of T" . We now show that X" is 
actually a <5(1, s)-model. Suppose that some variable v of T" is flipped. We do a case by 
case analysis of the possible repairs to this break. 

[v = Xi or x\ ] No repairs are needed since each implication remains satisfied in T'. 

[v = A{ for some i, 1 < i < s + 1 ] The repairs needed are Ai,A 2 , ■ ■ . , Aj_i (since z\ = 
for all i, it does not need to be flipped) for i — 1 (< s) repairs. 

[v = (3i : j for some 1 < i < n, 1 < j < s ] The repairs are all [3^ where j + 1 < k < s. Since 
X' is a model of T', exactly one of Xi and x\ is set to false and we need to flip just 
that variable. This leads to at most s — j + 1 < s repairs. 

[v = Pij for some I < i < n, s + 1 < j < 2s ] The repairs needed are for all s + 1 < 
k < j and one of Xi or x\ (since X' is a model of T' only one of Xj, x\ is set to true in 
X') for at most j — s < s repairs. 
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[v = Wij for some 1 < i < m, 1 < j < 3 ] The repairs needed are (Xij,k for all 1 < /c < s — 1 
and Vij (if X'(v,^j) = 1), for at most s repairs. 

[v = (Xi,j,k f° r some 1 < i < m, 1 < j < 3, 1 < k < s — 1 ] The repairs needed are Ojj,fc' f° r 
1 < k' < k — 1 and Vij (if X'(vij) = 1) for at most k < s — 1 repairs. 

[v = Zi ] It is this break alone whose repair crucially depends on the satisfiability of T' . 
Note that this break changes Zi from a to a 1 and makes the clause ( —> Z{ V -> iw^i V 
-■Wj^ V -i 11^,3 ) false since each is true in X". So repairs will have to include one 
or more of the tt>ij's, which consequently might trigger flips to a«,j,fc and Vij. The 
choice of which Wij to involve in the repair process is indicated by the v^j set to 
by X' . Since X' is a model, note also that at least one Vij is set to 0. Without loss 
of generality, assume that X'(vi t i) = then repair a break to Zi by flipping w^i, Oj,ij 
for all 1 < j < s — 1 for exactly s repairs. 

Now suppose T" has a 5- model X". We show that T' is satisfiable. Specifically, we claim 
that the restriction of X" to the variables of T' is a model of T'. From Lemma 4.16, we 
know that = for all 1 < i < n, 1 < j < s and f3ij = 1 for all 1 < i < n, s + 1 < j < 2s 
and also ~^x\ x-i in T' is satisfied for each i, 1 < i < n. Note that in T" , Wij is at the 
end of a chain of implications: 

Pk,i -> /3fc,2 ->■■■->■ /3fc, s ->■ ->■ Oj,j,i ->■■■->■ Oj,j,s-i -> (4.5) 

where Vij is either xj~ or for some k,l < k < n. Note that the variables in the above chain 
are from different gadgets - from both (pk and from 1^2- This implies that X"(wij) = 1 since 
otherwise X" would have to set all variables in this chain to and then this would violate 
Lemma 4.16. Since X" is a model of T" , it must be that X"(zi) = 1 for all i, otherwise 
V V -iWi t 2 V -iWig will be false. When z% is flipped, we are guaranteed a repair of 

at most s flips that will make the clause -iZj V -iw^i V -1^,2 V -1^,3 true. This will involve 
flipping at least one of Wij, for j = 1,2,3. If ^,1,^,2 and were all set to true by X" 
(which would in turn have implied that X'^ctij^) = 1 for all 1 < j < 3, 1 < k < s — 1) then 
any such flip would require s additional repairs, for a total of s+1 repairs to a break to Zj. So 
it must be that v^j is false for some j, 1 < j < 3. In other words, Cj' = -ii^i V -1^,2 V -if ^3 
is satisfied by X". Hence the restriction of X" to T' satisfies all clauses of T 1 . Thus T' is 
satisfiable. 

So T' is satisfiable iff T" has a (5(1, s)-model. Since T is satisfiable iff T' is satisfiable and 
T is a SAT instance, this accomplishes the reduction from SAT. This reduction is clearly a 
polynomial time reduction. Since 5(1, s)-Horn-SAT is clearly in NP for fixed r and s, this 
proves that it is NP-complete. □ 

Recall that an dual-Horn formula is a Boolean formula in CNF where each clause has 
at most one negative literal. Not surprisingly, dual-Horn-SAT formulas behave similarly to 
Horn-SAT when it comes to finding (5-models. 

Theorem 4.18. 6(1, s)- dual- Horn- SAT is NP-complete. 

The proof of this theorem is very similar to that of Theorem 4.17: we replace Equa- 
tion (4.3) by r^i = (zi V Wi t \ V Wi t 2 V ^,3) and change the direction of implications in Tj^ 
and Equation (4.4). 
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4.3 Finding (5-models for 0-valid, 1-valid SAT formulas 

Recall that a 0-valid (resp. 1-valid) Boolean formula is one which is satisfied by a model 
with every variable set to (resp. 1). We now consider the complexity of finding fault- 
tolerant models of an input 0-valid (or 1-valid) formula and refer to the corresponding 
decision questions as S(r, s)-0-valid-SAT, <5(r, s)-l-valid-SAT, 5* -0- valid-SAT etc. 

The knowledge that an input Boolean formula is satisfied by some particular assignment 
does not provide information about the presence of fault-tolerant models. Hence we would 
expect (correctly) that finding such models to be NP-hard. We first prove: 

Theorem 4.19. The decision problem <5(r, s)-0-valid-SAT is NP-complete. 

Proof. For the proof, we refer to the proof of Theorem 3.1 which, with slight modification, 
works for this problem as well. We reduce from SAT. Let T be a SAT instance, we construct 
an instance of 5(r, s)-0- valid-SAT, T 1 = T V ->y where y is a new variable not appearing in 
T. Observe that T" is 0-valid (its the value of y that matters). The proof that T' has a 
S- model iff T is satisfiable is identical to the proof of Theorem 3.1: if T is satisfiable and 
has a model X, extend that to a model X' of T' by setting the value of y to 1. Then any 
break consisting of r variables in X' does not require a repair if the r variables involve y. If 
they do not involve y, then flipping the value of y from a 1 to a makes T' true, hence one 
repair suffices. Hence X' is a <5(r, s)-model. If T 1 has a 5(r, s)-model, it must have a model 
with y set to 1. The restriction of that model to the variables of T makes T true, hence T 
is satisfiable. □ 

Similarly, it is easy to verify that the proofs of Theorem 3.1, Theorem 3.2 work when 
the input formula is a 0-valid or 1-valid formula. Hence we have the following: 

Theorem 4.20. The decision problem <5(r, s)- 1-valid- SAT is NP-complete. The problem 
5*(l, 1)- 0-valid- SAT and 5*(1, 1)- 1-valid- SAT are in NEXP and are NP-hard. 

4.4 Finding (5-models for Affine-SAT 

Another class of Boolean formulas that have polynomial time satisfiability checkers is Affine- 
SAT: these are formulas which are a conjunction of clauses, where each clause is an exclusive- 
or (denoted by ©) of distinct literals (a © b = 1 iff exactly one of the Boolean variables a, b 
is set to 1). 

Example 4.2. An example of an Affine-SAT formula is 

(xi © x 2 © x 3 © x 4 = 1) A (x 3 © x 4 = 0) 

This formula has a <5-model X = (1, 0, 0, 0). In fact, X is easily seen to be a (5*-model (which 
is true of all (5-models of Affine-SAT formulas, as we shall shortly see). 

One can find a satisfying assignment for a formula in affine form by a variant of Gaussian 
elimination. We now prove that finding <5-models for affine formulas is also in polynomial 
time. 

Lemma 4.21. An Affine-SAT formula 4> has a 5-model iff (ft is satisfiable and for every 
variable v € V appearing in (j) there exists a variable w = w(v) such that v and w appear in 
exactly the same clauses. 
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Proof. Let X be a 5-model of 4>. If a variable v is flipped, then the clauses that v appears 
in become false, to repair them we need to flip some other variable that appears in exactly 
those clauses (and no others). Thus such a variable pairing must exist. The reverse direction 
is easily proved: if such a variable pairing exists, then the variables form a break-repair 
pair. □ 

Since the conditions of Lemma 4.21 are easy to check in polynomial time, we have the 
following theorem: 

Theorem 4.22. 5(1, 1)-Affine-SAT G P. 

We can, in fact, slightly strengthen our theorem. We first state an analogue of Lemma 4.21, 
where the variable pairings can be easily generalized. 

Definition: The parity of an integer n is n mod 2. 

Lemma 4.23. An Affine- SAT formula 4> has a S(r, s) -model iff (j) is satisfiable and for every 
set R of at most r variables, there exists a set S, S n R = of at most s variables, such 
that for all clauses C of <p, the parity of the number of variables of R appearing in C is the 
same as the parity of the number of variables of S appearing in C. 

We now prove: 

Theorem 4.24. 8(r, s)- Affine- SAT is in P. 

Proof. Since r and s are fixed constants, the conditions in Lemma 4.23 can be checked in 
polynomial time: for each choice of the set R such that R < r, (there are 0(n r ) such sets), 
cycle through each possible set S where \S\ < s,S C\ R = $ (there are 0(n s ) such sets), 
check to see if the conditions of Lemma 4.23 are satisfied (in particular, test whether the 
parity of the variables of R appearing in any clause = parity of the variables of S appearing 
in the clause, which also can be accomplished in polynomial time). 

Hence 8(r, s)-Affine-SAT is in polynomial time. □ 

Theorem 4.22 implies that any (5-model of 4> is actually a <5*-model, since if the pairings 
(u,w(v)) exist, any model of 4> will become a J-model (with {v,w(v)} forming break-repair 
pairs) . 

Hence an Affine-SAT formula has a (5-model iff it has a <5*-model, hence finding a 5*- 
model for Affine-SAT formulas is also in polynomial time. 
We thus have the following theorem: 

Theorem 4.25. 5* -Affine-SAT £ P. 
5. Future Work 

The complexity of <5(r, s)-SAT where r and s are part of the input as opposed to being fixed 
constants is not known. This problem is in the complexity class £3, but is it complete for 
that class? The status of this problem for restricted Boolean formulas like 2-SAT, Horn- 
SAT etc., when r and s are specified in the input is similarly open. At present, we do not 
also know if <5*(r, s)-SAT can be decided in polynomial space when r, s are fixed constants. 

Finally, a practical modification of the concept of (5-models would involve weakening the 
condition to allow for only a high percentage of breaks to be repairable. 
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